Whaleshares Logo

decipher the passwords of your user account with John the Ripper

erkanPosted last year for Everyone to comment on2 min read

I wanted to try out the password cracker "John the Ripper" (1).

  • I had to set up the config file first correctly (the fast step for a newbie without reading too much is to grab the one from github (see below) and comment out 3 sections) (2)
  • the result was stunning: John was so fast to crack this! This should be shown to users who set easy passwords!

I. get the password files (as root, or (3)):

umask 077
unshadow /etc/passwd /etc/shadow > mypasswd

II. I had to create the config file first:

fopen: /usr/share/john/john.conf: No such file or directory

III. then I tried:

john mypasswd
    Loaded 1 password hash (descrypt, traditional crypt(3) [DES 32/32])
    No "single crack" mode rules found in /usr/share/john/john.conf

then I read into the options of the config file, and added:

Wordlist = /home/tux/Downloads/all
#from: https://download.openwall.net/pub/wordlists/all.gz

but still no success. Still same message!

V. So I googled for an existing config file
and tried this one:

I had to remove 3 sections where it complained later at running:
#Error in /usr/share/john/john.conf at line 432

and then it worked :-)

and boy was that fast (the test password was: 1234567)!

john mypasswd

john --show mypasswd
    root:**1234567**:0:0:Root Administrator:/root:/bin/sh
    tux:NO PASSWORD:1000:100:SliTaz User:/home/tux:/bin/sh

    2 password hashes cracked, 0 left

(1) After cooking a @SliTaz package you also have to test it.
So, here is how the test went,
and I can use this for my future package builds to use.

(2) Later I saw that github repo is from 2013,
so better find another repo first.
But that is what DuckDuckGo gave me on the 1st page

(3) or your local state agency utilizes flaws in specific software packages of your OS ;-)

Sign Up to join this conversation, or to start a topic of your own.
Your opinion is celebrated and welcomed, not banned or censored!